Don’t show me your private parts
01 Jul 2021
In this article we consider the extent to which the Protection of Personal Information Act, 2013 (POPI Act) may have taken things too far and how ordinary people living their ordinary lives might be affected. We also look at what ‘privacy’ is and how you can unintentionally show your private parts to the world, at which point it will be difficult to cover them up.
When new laws are introduced by Parliament, some of them settle fairly well into their place while others need some tweaks. The Competition Act of 1998, for example, was amended three times in the first two years. Although our POPI Act, as it’s known, is loosely based on the European General Data Protection Regulation (GDPR), South Africa’s law is stricter, at least on paper.
What is the intention of the lawmakers? The right to privacy is enshrined in our Constitution and it has found a voice in the POPI Act which focuses on the protection of what is termed ‘personal information’. Privacy is usually considered to mean freedom from public attention and the right to keep personal matters to oneself. Privacy in this Act has been interpreted to mean protection from having information obtained or misused (information which is personal and information of certain types of companies), or having information on individuals that can be used by unauthorised parties in ways that the individual never imagined nor consented to.
The lawmakers also intend the POPI Act and the Promotion of Access to Information Act, 2000 (PAIA) to be applied or at least considered together. This is because the protection of a right to privacy may be subject to justifiable limitations, including the right of access to information (also a Constitutional right) and the protection of the free flow of information. So, in applying the Acts, these other factors must also be considered. But how many people are going to know how to do that?
This table of private P-A-R-T-S may help you with some of the key concepts and terms to familiarise yourself with:
P | personal information, purpose and processing
A | access and authority
R | retention and re-use
T | termination and technology
S | security and specificity
Even so, without reading the Act, not many people will know what their personal information is and that they have a right to determine how it will be used in specific circumstances. The same can be said for understanding how personal information might be accessed, retained or re-used and how to terminate the unauthorised use of personal information. The POPI Act also requires everyone that has access to personal information to put some sort of policies in place in relation to retention, re-use and security of personal information.
In addition, under the Act, an Information Officer (IO) must be appointed within an organisation and each IO must be registered with the Information Regulator on the forms published on their site or electronically. The IO has numerous responsibilities, including the training of staff in the identification and processing of personal information internally but also externally when dealing with third parties who carry out some services for the IO’s organisation and end up processing personal information.
Effective 1 July 2021, many organisations including law firms, banks, insurance companies, doctors, hospitals, beauty salons, bowling clubs and maybe even book clubs could be at risk. Should a book club appoint an IO? It seems ludicrous that this could be the intention of the Act and, in any event, when joining the book club aren’t you consenting to the use of your personal information in relation to the book club? What if that information is used to invite the members to a braai? It does not appear that either activity falls within the ambit of the exclusions in sections 6 or 7 of the Act. This being the case, the book club chairperson would have to get exemption from the Information Regulator under section 37.
What about people who happily offer up their personal information to join the gym, subscribe to MTN or Vodacom or buy something on Takealot? They are disclosing their private parts, so to speak. As the Act stands, the terms and conditions of each of these organisations will need to include a reference to what personal information is to be collected (and it should be the minimum necessary to provide the service), how it will be accessed by the organisation and who will have authority to access it, the specific purpose of the retention and likely forms of re-use (which should not amount to amendment, deletion, collation or other use without permission), how the people signing up can terminate their consent to retain their personal information (which could be tricky if they are signed up to a long-term contract) and what security measures the organisation intends to employ to protect that information, particularly if it is using technology.
It seems likely that some changes will need to be made to the POPI Act to protect people’s private parts, those parts of their lives that enable them to interact with friends and colleagues, form a WhatsApp group and keep updating the contacts on their phones. In the meantime, take advice on how best to prepare your organisation so that you can deal with personal information that you really do need, in a way that your customers and others can trust.